This is a plain-text starter — no server, no database, no build step, no telemetry. The risk is about what you put into it.
- API keys and machine-local config belong in `.claude/settings.local.json` and `.mcp.json` — both are gitignored. Copy the committed `.claude/settings.local.example.json` and `.mcp.json.example` to start.
- A PreToolUse hook (`.claude/hooks/protect-files.sh`) blocks the agent from writing to `.env*`, keys, and `settings.local.json`.
- Install the commit guard once so a secret can't slip into a commit:

  ```sh
  ln -s ../../.claude/hooks/pre-commit-guard.sh .git/hooks/pre-commit
  ```

- The `demo/` data is fictional by design. The safe way to present or share is to run from `demo/`.
- Don't commit real prospect names, deals, or meeting notes to a repo you intend to publish — that is third-party personal data.
- Before you flip a fork to public, run the pre-launch scrub checklist — copy-paste commands that scan the working tree and full git history for secrets and other people's data.
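To make the two guards above concrete, here is an added example of a single POSIX shell script that can act as the PreToolUse hook (refusing agent writes to protected files) and as the pre-commit guard (refusing commits that stage a protected file or content shaped like a credential). It is illustrative code written for this page, not the starter's own `protect-files.sh` or `pre-commit-guard.sh`. Assumptions are labelled in the comments: that Claude Code passes the tool call as JSON on stdin with `tool_input.file_path` and treats exit code 2 as a blocking result, that `*.pem`, `*.key` and SSH identity files are a reasonable reading of "keys", and that the secret regexes are constructed starting points to be tuned.

```sh
#!/bin/sh
# Added example (not the starter's own hook scripts): one script that can serve
# as both the PreToolUse hook and the pre-commit guard described above.
# Assumptions: Claude Code delivers the tool call as JSON on stdin with
# tool_input.file_path and treats exit code 2 as "block, show stderr to the
# agent"; the key-file names below are an illustrative reading of "keys";
# SECRET_RE holds constructed, non-exhaustive credential shapes.

# 0 if the basename is a file the agent must not write and git must not commit.
is_protected_path() {
  case "$(basename -- "$1")" in
    .env*|settings.local.json|.mcp.json|*.pem|*.key|id_rsa|id_ed25519) return 0 ;;
  esac
  return 1
}

# Pull tool_input.file_path out of the hook JSON. jq is preferred; the sed
# fallback relies on JSON escaping quotes inside string values, so a literal
# "file_path" inside file content cannot match.
extract_file_path() {
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$1" | jq -r '.tool_input.file_path // empty'
  else
    printf '%s' "$1" | sed -n 's/.*"file_path"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
  fi
}

# PreToolUse decision: 0 = allow, 2 = block (assumed Claude Code blocking code).
hook_decide() {
  path=$(extract_file_path "$1")
  if [ -z "$path" ]; then
    return 0            # not a file-writing tool call (e.g. Bash, Read)
  fi
  if is_protected_path "$path"; then
    echo "protect-files: refusing to write protected file $path" >&2
    return 2
  fi
  return 0
}

# Constructed credential shapes: AWS access key id, GitHub PAT, "sk-" API
# tokens, PEM private key header. Extend for the services you actually use.
SECRET_RE='AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|sk-[A-Za-z0-9_-]{20,}|-----BEGIN [A-Z ]*PRIVATE KEY-----'

# 0 if stdin contains something shaped like a secret.
contains_secret() {
  grep -E -q "$SECRET_RE"
}

# Pre-commit decision over staged files: 0 = commit may proceed, 1 = refuse.
# Checks the staged blob (git show :path), not the working tree, so a secret
# that was staged and then edited out locally is still caught.
# Note: the for loop splits on whitespace, so paths with spaces need -z handling.
guard_staged() {
  rc=0
  for f in $(git diff --cached --name-only --diff-filter=ACM); do
    if is_protected_path "$f"; then
      echo "pre-commit guard: protected file is staged: $f" >&2
      rc=1
    elif git show ":$f" | contains_secret; then
      echo "pre-commit guard: possible secret in staged content of $f" >&2
      rc=1
    fi
  done
  return $rc
}

# Dispatch on the invoked name: the hook script name, or the .git/hooks symlink.
case "${0##*/}" in
  protect-files.sh)
    hook_decide "$(cat)"
    exit $?
    ;;
  pre-commit|pre-commit-guard.sh)
    guard_staged
    exit $?
    ;;
esac
```

The path check is deliberately shared between the two entry points so the agent-side rule and the commit-side rule cannot drift apart: anything the hook refuses to write is also something the guard refuses to commit. Content scanning only runs at commit time, since that is where the staged blob is known; the scrub checklist on the page covers the history that this guard, installed later, would not have seen.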
Found a security issue with the starter itself (e.g. a hook that could be abused)? Please open a private report via GitHub → Security → Report a vulnerability, or open a regular issue for anything non-sensitive.